KVM: arm64: Fix page leak in user_mem_abort()
authorFuad Tabba <tabba@google.com>
Wed, 17 Sep 2025 13:07:37 +0000 (14:07 +0100)
committerMarc Zyngier <maz@kernel.org>
Wed, 17 Sep 2025 16:37:47 +0000 (17:37 +0100)
The user_mem_abort() function acquires a page reference via
__kvm_faultin_pfn() early in its execution. However, the subsequent
checks for mismatched attributes between stage 1 and stage 2 mappings
would return an error code directly, bypassing the corresponding page
release.

Fix this by storing the error and releasing the unused page before
returning the error.

Fixes: 6d674e28f642 ("KVM: arm/arm64: Properly handle faulting of device mappings")
Fixes: 2a8dfab26677 ("KVM: arm64: Block cacheable PFNMAP mapping")
Signed-off-by: Fuad Tabba <tabba@google.com>
Reviewed-by: Oliver Upton <oliver.upton@linux.dev>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
arch/arm64/kvm/mmu.c

index 006fdb017c5482b8942984c3e3a710899026355b..61ef7d748e7ac28fcd132c718261ec05e2f274ec 100644 (file)
@@ -1670,7 +1670,7 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
                         * cache maintenance.
                         */
                        if (!kvm_supports_cacheable_pfnmap())
-                               return -EFAULT;
+                               ret = -EFAULT;
                } else {
                        /*
                         * If the page was identified as device early by looking at
@@ -1693,7 +1693,12 @@ static int user_mem_abort(struct kvm_vcpu *vcpu, phys_addr_t fault_ipa,
        }
 
        if (exec_fault && s2_force_noncacheable)
-               return -ENOEXEC;
+               ret = -ENOEXEC;
+
+       if (ret) {
+               kvm_release_page_unused(page);
+               return ret;
+       }
 
        /*
         * Potentially reduce shadow S2 permissions to match the guest's own
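Review bot: Once `ret = -EFAULT` is assigned in the first hunk instead of returned, control falls through to the second hunk's `if (exec_fault && s2_force_noncacheable) ret = -ENOEXEC;`, which would silently replace the earlier error code if both conditions could hold for the same fault, and whatever runs between the two hunks (not visible here) now executes on the error path as well. If the cacheable-PFNMAP rejection and the non-cacheable exec check are mutually exclusive by construction, a one-line comment above the `if (ret)` block stating that only one error can be pending would make the fall-through safe to read; otherwise the second assignment should be guarded as `if (!ret && exec_fault && s2_force_noncacheable)`. The `if (ret)` test also depends on `ret` being zero-initialised earlier in user_mem_abort(), which is outside both hunks and worth confirming. user_mem_abort() starts and ends outside the hunks shown.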